SFTP Server in the DMZ or Private Network

Many organizations have an SFTP server installed where their trading partners can connect to securely upload and download sensitive files.

SFTP Server in the DMZ

Traditionally, SFTP servers have been installed in the DMZ (public-facing) segment of the network, since organizations were fearful of opening inbound ports into the private (internal) network.

[Figure: SFTP server in the DMZ]

This approach eliminates the need to write scripts for moving files back and forth. Its big downfall is that ports were traditionally opened into the private network so that trading partners could reach the SFTP server. Those open ports create a potential path for attackers into the private network. In today's security-conscious environment, most IT auditors do not like to see any inbound ports opened into the private network, especially if the servers behind them store sensitive PCI DSS or HIPAA data.

Gateway in the DMZ while keeping the SFTP Server in the Private Network

An approach that is quickly gaining in popularity is to implement a gateway component in the DMZ. The gateway serves as an enhanced reverse proxy that does not require any inbound ports into the private network.

[Figure: SFTP server in the private network with a gateway in the DMZ]

At startup time, the SFTP server will establish a special control channel with the gateway, which is kept alive continuously. When partners connect to the gateway, it will make requests over the existing control channel to the SFTP server. The SFTP server will then open any data channels needed back through the gateway to service the trading partners. The whole process is transparent to the trading partners. No data is ever stored in the DMZ since it is simply streamed through the gateway.

A gateway in the DMZ therefore solves two major security issues:

  1. No files need to be stored in the DMZ, including user credentials
  2. No inbound ports need to be opened into the Private network

Since a proprietary control channel is used to communicate between the gateway and the SFTP server, you will need to purchase both components from a single vendor. When looking for the right gateway for your organization, make sure it is easy to set up and manage. It is critical that it does not require inbound ports into the private network or require any data to be stored in the DMZ.
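As an added illustration (not the vendor's code, and not the proprietary control protocol the post refers to), the following constructed Python model shows the design described above end to end: the gateway in the DMZ owns every listening socket, the server in the private network only ever makes outbound connections (one long-lived control channel at startup, then one data channel per partner request), and the gateway streams bytes between partner and server without storing them. The loopback listeners, the 4-digit id header and the toy "name a file, get its bytes" exchange standing in for SFTP are assumptions made for the demo.

```python
import contextlib
import itertools
import socket
import threading

FILES = {b"invoice.csv": b"id,amount\n1,42\n"}  # constructed sample; lives only in the private network

def _pipe(src, dst):  # relay src -> dst, then half-close; the gateway never stores the bytes
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)

class Gateway:  # DMZ component: owns every listening socket and never dials into the private network
    def __init__(self):
        # Partners connect to partner_ln; the private server dials OUT to control_ln and data_ln.
        self.partner_ln, self.control_ln, self.data_ln = (socket.create_server(("127.0.0.1", 0)) for _ in range(3))
        self.pending, self.seq = {}, itertools.count(1)  # partner sockets waiting for a data channel
        threading.Thread(target=self._accept_data, daemon=True).start()
        threading.Thread(target=self._accept_partners, daemon=True).start()
    def _accept_partners(self):
        control, _ = self.control_ln.accept()  # the one long-lived control channel, opened from inside
        while True:
            partner, _ = self.partner_ln.accept()
            cid = next(self.seq)
            self.pending[cid] = partner
            control.sendall(b"%04d\n" % cid)  # request over the control channel: partner cid is waiting
    def _accept_data(self):
        while True:
            conn, _ = self.data_ln.accept()  # data channel the private server opened for one partner
            partner = self.pending.pop(int(conn.recv(4, socket.MSG_WAITALL)))  # 4-digit id header
            threading.Thread(target=_pipe, args=(partner, conn), daemon=True).start()
            threading.Thread(target=_pipe, args=(conn, partner), daemon=True).start()

def private_server(control_addr, data_addr):  # stand-in for the SFTP server in the private network
    control = socket.create_connection(control_addr)  # outbound at startup, kept alive continuously
    for line in control.makefile("rb"):  # each line names a partner waiting at the gateway
        data = socket.create_connection(data_addr)  # another outbound connection, no inbound port
        data.sendall(line.strip())  # send the id so the gateway can pair this channel with the partner
        threading.Thread(target=serve_partner, args=(data,), daemon=True).start()

def serve_partner(conn):  # toy request/response in place of SFTP: partner names a file, gets its bytes
    with conn, conn.makefile("rb") as req:
        conn.sendall(FILES.get(req.readline().strip(), b"ERR no such file\n"))

def fetch_through_gateway(name):  # act as a trading partner: talk only to the gateway's public side
    gw = Gateway()
    addrs = (gw.control_ln.getsockname(), gw.data_ln.getsockname())
    threading.Thread(target=private_server, args=addrs, daemon=True).start()
    with socket.create_connection(gw.partner_ln.getsockname()) as p:
        p.sendall(name + b"\n")
        return b"".join(iter(lambda: p.recv(4096), b""))
```

The model deliberately leaves out what a real gateway must add on top of this shape: the control and data listeners accept anything that can reach them, so in production that channel needs to be encrypted and mutually authenticated, and the gateway's only reachable private-side endpoints should be those outbound connections from the SFTP server.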

Want to learn more about DMZ Gateways? View this informative whitepaper: DMZ Gateways: Secret Weapons for Data Security.
